databricks
diff --git a/‎databricks-sdk-java/src/main/java/com/databricks/sdk/core/ConfigAttributeAccessor.java‎
Lines changed: 23 additions & 0 deletions b/‎databricks-sdk-java/src/main/java/com/databricks/sdk/core/ConfigAttributeAccessor.java‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎databricks-sdk-java/src/main/java/com/databricks/sdk/core/DatabricksConfig.java‎
Lines changed: 10 additions & 0 deletions b/‎databricks-sdk-java/src/main/java/com/databricks/sdk/core/DatabricksConfig.java‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎databricks-sdk-java/src/test/java/com/databricks/sdk/core/DatabricksConfigTest.java‎
Lines changed: 48 additions & 0 deletions b/‎databricks-sdk-java/src/test/java/com/databricks/sdk/core/DatabricksConfigTest.java‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎databricks-sdk-java/src/test/java/com/databricks/sdk/core/oauth/DatabricksOAuthTokenSourceTest.java‎
Lines changed: 113 additions & 0 deletions b/‎databricks-sdk-java/src/test/java/com/databricks/sdk/core/oauth/DatabricksOAuthTokenSourceTest.java‎
Lines changed: 113 additions & 0 deletions
@@ -2,9 +2,13 @@
 
 import com.databricks.sdk.support.InternalApi;
 import java.lang.reflect.Field;
+import java.lang.reflect.ParameterizedType;
 import java.time.Duration;
+import java.util.Arrays;
+import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import java.util.stream.Collectors;
 
 @InternalApi
 class ConfigAttributeAccessor {
@@ -63,6 +67,21 @@ public void setValueOnConfig(DatabricksConfig cfg, String value) throws IllegalA
         field.set(cfg, seconds > 0 ? Duration.ofSeconds(seconds) : null);
       } else if (field.getType() == ProxyConfig.ProxyAuthType.class) {
         field.set(cfg, ProxyConfig.ProxyAuthType.valueOf(value));
+      } else if (List.class.isAssignableFrom(field.getType())) {
+        // Handle List<String> fields (e.g., scopes)
+        // Parse comma and/or whitespace separated values from environment variable or config file
+        if (field.getGenericType() instanceof ParameterizedType) {
+          ParameterizedType paramType = (ParameterizedType) field.getGenericType();
+          if (paramType.getActualTypeArguments().length > 0
+              && paramType.getActualTypeArguments()[0] == String.class) {
+            // Split by commas and/or whitespace and filter out empty strings
+            List<String> list =
+                Arrays.stream(value.trim().split("[,\\s]+"))
+                    .filter(s -> !s.isEmpty())
+                    .collect(Collectors.toList());
+            field.set(cfg, list);
+          }
+        }
       }
       field.setAccessible(false);
     }
@@ -91,6 +110,10 @@ public String toString() {
   }
 
   public String getAsString(Object value) {
+    if (value instanceof List) {
+      // Format lists as space-separated values for consistency with input format
+      return String.join(" ", (List<String>) value);
+    }
     return value.toString();
   }
 
 
@@ -204,6 +204,7 @@ private synchronized DatabricksConfig innerResolve() {
     try {
       ConfigLoader.resolve(this);
       ConfigLoader.validate(this);
+      sortScopes();
       ConfigLoader.fixHostIfNeeded(this);
       initHttp();
       return this;
@@ -212,6 +213,15 @@ private synchronized DatabricksConfig innerResolve() {
     }
   }
 
+  /**
+   * Sort scopes in-place for better de-duplication in the refresh token cache.
+   */
+  private void sortScopes() {
+    if (scopes != null && !scopes.isEmpty()) {
+      java.util.Collections.sort(scopes);
+    }
+  }
+
   private void initHttp() {
     if (httpClient != null) {
       return;
 
@@ -322,4 +322,52 @@ public void testDisableOauthRefreshTokenEnvironmentVariable() {
 
     assertEquals(true, config.getDisableOauthRefreshToken());
   }
+
+  // Config File Scope Parsing Tests
+
+  @Test
+  public void testConfigFileScopesEmptyDefaultsToAllApis() {
+    Map<String, String> env = new HashMap<>();
+    env.put("HOME", "src/test/resources/testdata");
+
+    DatabricksConfig config = new DatabricksConfig().setProfile("scope-empty");
+    config.resolve(new Environment(env, new ArrayList<>(), System.getProperty("os.name")));
+
+    List<String> scopes = config.getScopes();
+    assertEquals(1, scopes.size());
+    assertEquals("all-apis", scopes.get(0));
+  }
+
+  @Test
+  public void testConfigFileScopesSingle() {
+    Map<String, String> env = new HashMap<>();
+    env.put("HOME", "src/test/resources/testdata");
+
+    DatabricksConfig config = new DatabricksConfig().setProfile("scope-single");
+    config.resolve(new Environment(env, new ArrayList<>(), System.getProperty("os.name")));
+
+    List<String> scopes = config.getScopes();
+    assertEquals(1, scopes.size());
+    assertEquals("clusters:read", scopes.get(0));
+  }
+
+  @Test
+  public void testConfigFileScopesMultipleSorted() {
+    Map<String, String> env = new HashMap<>();
+    env.put("HOME", "src/test/resources/testdata");
+
+    DatabricksConfig config = new DatabricksConfig().setProfile("scope-multiple");
+    config.resolve(new Environment(env, new ArrayList<>(), System.getProperty("os.name")));
+
+    List<String> scopes = config.getScopes();
+    // Should be sorted alphabetically
+    assertEquals(7, scopes.size());
+    assertEquals("clusters:read", scopes.get(0));
+    assertEquals("files:read", scopes.get(1));
+    assertEquals("iam:read", scopes.get(2));
+    assertEquals("jobs:read", scopes.get(3));
+    assertEquals("mlflow:read", scopes.get(4));
+    assertEquals("model-serving:read", scopes.get(5));
+    assertEquals("pipelines:read", scopes.get(6));
+  }
 }
@@ -12,9 +12,12 @@
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.util.Arrays;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.stream.Stream;
+import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.MethodSource;
 import org.mockito.Mockito;
@@ -335,4 +338,114 @@ void testTokenSource(TestCase testCase) {
       verify(testCase.idTokenSource, atLeastOnce()).getIDToken(testCase.expectedAudience);
     }
   }
+
+  // Scope-specific tests for WIF/OIDC token exchange
+
+  @Test
+  void testDefaultScopesInTokenExchange() throws IOException {
+    // Verify default "all-apis" scope is used when no scopes specified
+    OpenIDConnectEndpoints testEndpoints =
+        new OpenIDConnectEndpoints(TEST_TOKEN_ENDPOINT, TEST_AUTHORIZATION_ENDPOINT);
+    IDTokenSource testIdTokenSource = Mockito.mock(IDTokenSource.class);
+    when(testIdTokenSource.getIDToken(any())).thenReturn(new IDToken(TEST_ID_TOKEN));
+
+    Map<String, Object> successResponse = new HashMap<>();
+    successResponse.put("access_token", TOKEN);
+    successResponse.put("token_type", TOKEN_TYPE);
+    successResponse.put("expires_in", EXPIRES_IN);
+    String successJson = new ObjectMapper().writeValueAsString(successResponse);
+
+    // Expected request with default scope
+    Map<String, String> formParams = new HashMap<>();
+    formParams.put("client_id", TEST_CLIENT_ID);
+    formParams.put("subject_token", TEST_ID_TOKEN);
+    formParams.put("subject_token_type", "urn:ietf:params:oauth:token-type:jwt");
+    formParams.put("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange");
+    formParams.put("scope", "all-apis");
+    FormRequest expectedRequest = new FormRequest(TEST_TOKEN_ENDPOINT, formParams);
+
+    HttpClient mockHttpClient = createMockHttpClient(expectedRequest, 200, successJson);
+
+    DatabricksOAuthTokenSource tokenSource =
+        new DatabricksOAuthTokenSource.Builder(
+                TEST_CLIENT_ID, TEST_HOST, testEndpoints, testIdTokenSource, mockHttpClient)
+            .scopes(Arrays.asList("all-apis"))
+            .build();
+
+    Token token = tokenSource.getToken();
+    assertEquals(TOKEN, token.getAccessToken());
+  }
+
+  @Test
+  void testCustomScopesInTokenExchange() throws IOException {
+    // Verify custom scopes are correctly passed to token exchange
+    OpenIDConnectEndpoints testEndpoints =
+        new OpenIDConnectEndpoints(TEST_TOKEN_ENDPOINT, TEST_AUTHORIZATION_ENDPOINT);
+    IDTokenSource testIdTokenSource = Mockito.mock(IDTokenSource.class);
+    when(testIdTokenSource.getIDToken(any())).thenReturn(new IDToken(TEST_ID_TOKEN));
+
+    Map<String, Object> successResponse = new HashMap<>();
+    successResponse.put("access_token", TOKEN);
+    successResponse.put("token_type", TOKEN_TYPE);
+    successResponse.put("expires_in", EXPIRES_IN);
+    String successJson = new ObjectMapper().writeValueAsString(successResponse);
+
+    // Expected request with custom scope
+    Map<String, String> formParams = new HashMap<>();
+    formParams.put("client_id", TEST_CLIENT_ID);
+    formParams.put("subject_token", TEST_ID_TOKEN);
+    formParams.put("subject_token_type", "urn:ietf:params:oauth:token-type:jwt");
+    formParams.put("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange");
+    formParams.put("scope", "unity-catalog:read");
+    FormRequest expectedRequest = new FormRequest(TEST_TOKEN_ENDPOINT, formParams);
+
+    HttpClient mockHttpClient = createMockHttpClient(expectedRequest, 200, successJson);
+
+    DatabricksOAuthTokenSource tokenSource =
+        new DatabricksOAuthTokenSource.Builder(
+                TEST_CLIENT_ID, TEST_HOST, testEndpoints, testIdTokenSource, mockHttpClient)
+            .scopes(Arrays.asList("unity-catalog:read"))
+            .build();
+
+    Token token = tokenSource.getToken();
+    assertEquals(TOKEN, token.getAccessToken());
+  }
+
+  @Test
+  void testMultipleScopesJoinedWithSpaces() throws IOException {
+    // Verify multiple scopes are joined with spaces in token exchange request
+    OpenIDConnectEndpoints testEndpoints =
+        new OpenIDConnectEndpoints(TEST_TOKEN_ENDPOINT, TEST_AUTHORIZATION_ENDPOINT);
+    IDTokenSource testIdTokenSource = Mockito.mock(IDTokenSource.class);
+    when(testIdTokenSource.getIDToken(any())).thenReturn(new IDToken(TEST_ID_TOKEN));
+
+    Map<String, Object> successResponse = new HashMap<>();
+    successResponse.put("access_token", TOKEN);
+    successResponse.put("token_type", TOKEN_TYPE);
+    successResponse.put("expires_in", EXPIRES_IN);
+    String successJson = new ObjectMapper().writeValueAsString(successResponse);
+
+    // Scopes should be sorted before being passed (sorted in DatabricksConfig.resolve())
+    List<String> scopes = Arrays.asList("clusters:read", "jobs:read", "mlflow:read");
+
+    // Expected request with multiple scopes joined by spaces
+    Map<String, String> formParams = new HashMap<>();
+    formParams.put("client_id", TEST_CLIENT_ID);
+    formParams.put("subject_token", TEST_ID_TOKEN);
+    formParams.put("subject_token_type", "urn:ietf:params:oauth:token-type:jwt");
+    formParams.put("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange");
+    formParams.put("scope", "clusters:read jobs:read mlflow:read");
+    FormRequest expectedRequest = new FormRequest(TEST_TOKEN_ENDPOINT, formParams);
+
+    HttpClient mockHttpClient = createMockHttpClient(expectedRequest, 200, successJson);
+
+    DatabricksOAuthTokenSource tokenSource =
+        new DatabricksOAuthTokenSource.Builder(
+                TEST_CLIENT_ID, TEST_HOST, testEndpoints, testIdTokenSource, mockHttpClient)
+            .scopes(scopes)
+            .build();
+
+    Token token = tokenSource.getToken();
+    assertEquals(TOKEN, token.getAccessToken());
+  }
 }